---
title: Bind9 zone file configuration
x-toc-enable: false
...

Here is a *real world* example zone file, the one used on 26 December 2022
for [libreboot.org](https://libreboot.org/). This example is shown because
it's quite fleshed out, and includes *e-mail* configuration:

```
;
; BIND zone file for libreboot.org
;
$TTL	604800
@	IN	SOA	ns1.shlinux.org. leah.libreboot.org. (
		       20221230		; Serial
			 604800		; Refresh
			  86400		; Retry
			2419200		; Expire
			 604800 )	; Negative Cache TTL
;
libreboot.org.	IN	NS	ns1.shlinux.org.
libreboot.org.  IN      NS      ns2.shlinux.org.
libreboot.org.	IN	CAA	0 issue "letsencrypt.org"
libreboot.org.	IN	CAA	0 iodef "mailto:leah@libreboot.org"
libreboot.org.	IN	A	81.187.172.132
libreboot.org.  IN      AAAA    2001:8b0:b95:1bb5::4
libreland	IN	A	81.187.172.132
libreland	IN	AAAA	2001:8b0:b95:1bb5::4
mail		IN	A	81.187.172.132
mail		IN	AAAA	2001:8b0:b95:1bb5::4
rsync		IN	A	178.79.166.69
rsync		IN	AAAA	2a01:7e00::f03c:91ff:fe1f:5810
av		IN	A	178.79.166.69
av		IN	AAAA	2a01:7e00::f03c:91ff:fe1f:5810
www		IN	A	81.187.172.132
www		IN	AAAA	2001:8b0:b95:1bb5::4
foo		IN	A	81.187.172.132
foo		IN	AAAA	2001:8b0:b95:1bb5::4
git		IN	A	81.187.172.132
git		IN	AAAA	2001:8b0:b95:1bb5::4
browse		IN	A	81.187.172.132
browse		IN	AAAA	2001:8b0:b95:1bb5::4
201707._domainkey IN	TXT	 ( "v=DKIM1; k=rsa; s=email; "
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuDJmTvK63zUlEBiUkWKBzq+55cxGSX8I"
"BCA5IpxfkRGgOYFIrYtVcvLKzFwfgQeHicrIIIhi9uYk9rH0e8OMk6Q3KPw78RKn8mD7LJk0NtZ0t0"
"l/tF+Q4RXR7NlAGVQ7BDPg3QJeSBJZoZAGu4GQmhwX727DyiGVRf1xVtxwSY0j2VDd6wlw22CrT/t1"
"282lYjcaDZhCcPCDdp6klLqBk4D6ljGCDWWzsbcY6Jk1y1j9DVKDXik54qMHyQi1SHs/MBEqaQYvIE"
"LPnNvh2wmJMQ+ZQooo48q2wMyy3zkJrKJSL5iYa16alZbqn8Wsm1ZUezcSQ/"
"70dwTQKfO6qv96+QIDAQAB")
_dmarc		IN	TXT	"v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; fo=1; rf=afrf; rua=mailto:dmarc@libreboot.org; ruf=mailto:dmarc@libreboot.org; pct=100"
libreboot.org.	IN	TXT	"v=spf1 a mx ip4:81.187.172.132 ip6:2001:8b0:b95:1bb5::4 -all"
libreboot.org. 	IN	MX	10 mail
```

From the above, *this* line is of extreme importance:

```
		       20221230		; Serial
```

The serial is how the secondary servers (`ns2.shlinux.org.` above) find out
that the zone has changed: on every refresh they compare the primary's SOA
serial with the one in their own copy, and they only transfer the zone if the
primary's is higher. Reloading the primary with an unchanged serial therefore
leaves the secondaries, and everyone resolving through them, serving the old
data.

When you make changes to the zone file, do *not* save and reload them until
the following conditions are met:

* You are fully satisfied with the new specification
* You have *updated* the Serial line. You *must* change the serial every
  time, and it must go *up*: BIND compares serials with 32-bit sequence
  arithmetic (RFC 1982), so a value that goes backwards is ignored by the
  secondaries. I typically just put today's date, being the day I edited the
  file. If you make several edits in a single day, append a two-digit counter
  and keep using that form from then on, e.g. `2022123001`, `2022123002`.
  Tacking a single extra digit onto an 8-digit date serial (`202212301`) is a
  trap: it is larger than the next day's `20221231`, so you would have to
  carry the extra digit forever.
* You have checked the syntax of the file with BIND's `named-checkzone`
  tool, which refuses broken zones and prints the serial it parsed.
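The bump-then-check routine above, as an added example: a small POSIX shell
script that is not the page author's own nor part of BIND. It assumes the
serial sits on its own line followed by a `; Serial` comment, as in the zone
above, and it moves the serial onto the `YYYYMMDDnn` form (date stamp plus a
two-digit edit counter) so it can never go backwards; the file name, the
zone name and the `bump-serial.sh` script name are placeholders.

```shell
#!/bin/sh
# Serial bump and syntax check for a BIND zone file.
# Added example for this page; it is not part of BIND and not the page author's
# script. Assumptions: the serial sits on its own line inside the SOA record,
# followed by a "; Serial" comment, and serials use the YYYYMMDDnn form.

# next_serial CURRENT YYYYMMDD
# Prints the lowest YYYYMMDDnn serial that is at least today's stamp and
# strictly greater than CURRENT. An old 8-digit serial such as 20221230 is
# smaller than any 10-digit stamp, so the first bump moves onto the new form.
next_serial() {
    cur=$1
    base="${2}00"
    if [ "$cur" -lt "$base" ]; then
        echo "$base"
    else
        # Same day again (or the clock went backwards): just count up. After
        # ...99 this rolls into the next day's stamp, which is still monotonic.
        echo $((cur + 1))
    fi
}

# bump_zone_serial FILE YYYYMMDD
# Rewrites the serial line of FILE in place and prints the new serial.
bump_zone_serial() {
    file=$1
    cur=$(awk '/;[ \t]*Serial/ { print $1; exit }' "$file")
    [ -n "$cur" ] || { echo "$file: no '; Serial' line found" >&2; return 1; }
    new=$(next_serial "$cur" "$2")
    # The serial is a 32-bit unsigned field (RFC 1982); refuse to overflow it.
    [ "$new" -le 4294967295 ] || { echo "$file: serial $new overflows 32 bits" >&2; return 1; }
    awk -v new="$new" '
        !done && /;[ \t]*Serial/ { sub($1, new); done = 1 }
        { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file" || return 1
    echo "$new"
}

# check_and_reload ZONE FILE
# Syntax-check the file with BIND's own tool before telling named to load it;
# a zone that fails the check is never reloaded. Needs BIND installed.
check_and_reload() {
    named-checkzone "$1" "$2" && rndc reload "$1"
}

# Usage: ./bump-serial.sh libreboot.org /etc/bind/db.libreboot.org
if [ $# -eq 2 ]; then
    bump_zone_serial "$2" "$(date +%Y%m%d)" && check_and_reload "$1" "$2"
fi
```

Run it as `./bump-serial.sh libreboot.org /etc/bind/db.libreboot.org` after
editing; the reload only happens when `named-checkzone` is happy, and you can
confirm the secondaries picked the change up by asking each of them for the
SOA record and comparing the serial they return.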

The crypto key above is a *public key* generated by OpenDKIM, which I use for
my mail server. It is published under the *selector* `201707`, so receiving
servers look up `201707._domainkey.libreboot.org` to fetch it. The private
key (which you should *never* share) signs outgoing mail, and receiving
servers use this public key to verify that a message really did come from
your server and was not altered on the way. The key is split across several
quoted strings inside parentheses because a single TXT character string is
limited to 255 bytes; BIND stores them as one record and resolvers join them
back together. This is not a replacement for GPG: DKIM lets mail servers
authenticate the sending *domain*, it does not encrypt anything and it is not
an end-to-end signature by the person who wrote the message.

The TXT record containing the SPF policy is also important: it tells
receiving servers which hosts may send mail claiming to be from
`libreboot.org`. `a` and `mx` allow the addresses of the apex and of the MX
host, the `ip4:` and `ip6:` terms list the exact addresses of my mail server,
and `-all` is a hard fail for everything else. I specifically enter the exact
IP addresses used by my mail server, and I ensure that *only* those IPs are
set on that host. Alternatively, where a host has several IPs, I block the
mail server from sending out on the undesirable ones, because mail that
leaves from a source address the record does not cover fails SPF.

The MX record is also email-related: it names the host that receives mail for
the domain. `10 mail` means the host `mail` (relative to the zone origin, so
`mail.libreboot.org`) with preference 10; when there are several MX records,
lower numbers are tried first. An MX target must be a name with its own
A/AAAA records, never a CNAME. Email guides will be available on the Fedfree
site before long, if not already available by the time you read this.
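To catch the mismatch the SPF paragraph warns about (a mail host sending from
an address the SPF record does not list, or an SPF record still naming an
address the host no longer has), here is an added consistency check, not from
the page and not part of BIND, written as a POSIX shell function around awk.
It assumes the one-record-per-line layout of the zone above with host owner
names written relative to the origin (so the MX target `mail` is matched
against records owned by `mail`), and it checks that the MX target has
addresses, that every `ip4:`/`ip6:` term in the SPF record is one of those
addresses and vice versa, that the policy ends in `-all`, and that the
`_dmarc` policy is `reject` or `quarantine`. The script name is a placeholder.

```shell
#!/bin/sh
# Consistency check for the mail records of a BIND zone file.
# Added example for this page; not the page author's script and not part of BIND.
# Assumes one record per line ("owner IN TYPE rdata"), host names written relative
# to the origin (so the MX target "mail" has A/AAAA records owned by "mail"), and
# an SPF record at the apex that lists the mail server with ip4:/ip6: terms.

# check_mail_records FILE
# Prints one line per problem found and returns 1 if there were any, else 0.
check_mail_records() {
    awk '
    # Skip comment lines and the short SOA continuation lines.
    /^[ \t]*;/ || NF < 4 { next }
    $3 == "MX"   { mx = $5 }                          # "owner IN MX pref target"
    $3 == "A"    { addrs[$1] = addrs[$1] " " $4 }     # addresses per owner name
    $3 == "AAAA" { addrs[$1] = addrs[$1] " " $4 }
    $3 == "TXT" && $0 ~ /v=spf1/  { spf = $0 }
    $3 == "TXT" && $1 == "_dmarc" { dmarc = $0 }

    # has(list, item): 1 if item equals one of the whitespace-separated words in list.
    function has(list, item,    n, w, i) {
        n = split(list, w, " ")
        for (i = 1; i <= n; i++) if (w[i] == item) return 1
        return 0
    }

    END {
        bad = 0
        if (mx == "")            { print "no MX record"; bad++ }
        else if (!(mx in addrs)) { print "MX target " mx " has no A/AAAA record"; bad++ }

        if (spf == "") { print "no SPF TXT record"; bad++ }
        else {
            # Hard fail for everything not listed, as in the zone above.
            if (spf !~ /-all"?[ \t]*$/) { print "SPF does not end in -all"; bad++ }
            # Every ip4:/ip6: term must be an address of the MX host ...
            listed = ""
            n = split(spf, tok, /[ \t"]+/)
            for (i = 1; i <= n; i++)
                if (tok[i] ~ /^ip[46]:/) {
                    ip = substr(tok[i], 5)
                    listed = listed " " ip
                    if (!has(addrs[mx], ip)) { print "SPF term " tok[i] " is not an address of " mx; bad++ }
                }
            # ... and every address of the MX host should be listed explicitly,
            # so a stale or missing address shows up before mail starts failing.
            n = split(addrs[mx], host, " ")
            for (i = 1; i <= n; i++)
                if (!has(listed, host[i])) { print "address " host[i] " of " mx " is not listed in SPF"; bad++ }
        }

        if (dmarc == "") { print "no _dmarc TXT record"; bad++ }
        else if (dmarc !~ /(^|[ ;"])p=(reject|quarantine)/) { print "DMARC p= is not reject or quarantine"; bad++ }
        exit (bad > 0)
    }' "$1"
}

# Usage: ./check-mail-records.sh /etc/bind/db.libreboot.org
if [ $# -ge 1 ]; then
    check_mail_records "$1"
fi
```

Run against the zone above it prints nothing and exits 0; change one
`ip4:` digit, or set `p=none` in `_dmarc`, and it names the offending record.
Note the DMARC match is anchored so that the `sp=reject` subdomain policy
cannot be mistaken for the `p=` policy itself.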

The A/AAAA records map names to IPv4 and IPv6 addresses respectively. For
example, the `libreboot.org.` entry (the zone *apex*; the trailing dot makes
it a fully qualified name) is for when someone resolves the bare domain.
Names without a trailing dot are relative to the zone, so the `www` entry is
for `www.libreboot.org`, and the `av` entry is for `av.libreboot.org`. You
get the idea.

I generally avoid using CNAME records in my zone files, but it's up to you
how you use DNS for your purposes.

This is a pretty much full config, the type that you would see on a typical
webhosting solution. I run a lot of stuff, on libreboot.org. Some of the
entries in this zone file are even ancient, and should probably be cleaned up.

The `$TTL 604800` directive at the top is the default TTL for every record
that does not set its own: how long, in seconds, a caching resolver may keep
an answer from this zone before asking again. The numbers inside the SOA
record are separate timers used between the name servers themselves:
`Refresh` is how often a secondary checks the primary's serial, `Retry` is
how long it waits after a failed check, `Expire` is how long it keeps serving
the zone if the primary stays unreachable, and the last value (`Negative
Cache TTL`) is how long resolvers may cache the fact that a name does *not*
exist in this zone.

You will note that IPv4 and IPv6 addresses are present in this zone file. This
is because I always run dual stack IPv4 and IPv6 on my infrastructure. Even
my personal workstation always has IPv6 on it. I consider IPv4 to be *legacy*
internet, and IPv6 is the real internet, or at least the current version of it.
Everyone should abandon IPv4 as soon as possible. I consider the presence of
A records in my zone files to be for *backwards compatibility* purposes.

That's what IPv4 support is. Backwards compatibility. This is the attitude
that every ISP should have.

Feel free to adapt this config for *your* domain setup.

NOTE: the entry at the top that says `leah.libreboot.org.` is actually an
email address, `leah@libreboot.org`: in the SOA record the first dot of the
mailbox stands for the at sign. If the local part itself contains a dot, as
in `first.last@example.org`, that dot has to be escaped with a backslash
(`first\.last.example.org.`), otherwise it is read as the at sign.

CAA
---

If you're making TLS setups (`https://`), you should enable CAA. A CAA record
tells certificate authorities which of them may issue certificates for your
domain, and publicly trusted CAs have been required to check it before issuing
since 2017, so it limits the damage if somebody manages to pass domain
validation at some other CA. In the example above, `0 issue "letsencrypt.org"`
allows only Let's Encrypt to issue for `libreboot.org` and its subdomains, and
`0 iodef "mailto:..."` gives CAs an address to report violations to. The
`issue` record also governs wildcard certificates unless you add a separate
`issuewild` record; `0 issuewild ";"` forbids wildcards entirely.

CAA records are already present in the above example. More info on these pages:

<https://letsencrypt.org/docs/caa/>

<https://sslmate.com/caa/support>

Handy dandy CAA record generator (use for BIND):

<https://sslmate.com/caa/>

References
==========

ISC's BIND documentation is available here:

<https://gitlab.isc.org/isc-projects/bind9/-/tree/main/doc>

You might find useful information there pertaining to zone files.
